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1 . A method for establishing a secure network connection between a elieat-web 
browser on a client and a service, said client having r e sources inoludia g-a-web browser 
wife- havina a virtual machine, said web browser having access to a first key, said client 
web browser and virtual machine being of the type that downloads and executes applets 
while protecting against at least some e#eai4-client resources from being updated based 
on said applet execution, said method comprising: 

establishing an insecure network connection with said client web browser; 

downloading, over said insecure connection, at least one digitally signed applet to 
the client web browser, said at least one applet including: (a) a second key, (b) code 
executable on the client virtual machine to cause the client to store a-the_second key, and 
(c) code executable on the client virtual machine to use the stored second key tQ_establish 
a secure network connection with said service; 

before the client virtual machine executes the digitally signed applet, verifying the 
digitally signed applet at the client using the first key; 

executing the downloaded applet code with the client virtual machine, thereby 
causing the client to store a-the second key corresponding to the service; and 

further executing said at least one applet to cause said at least one applet to use 
the stored second key to authenticate the service and establish the secure network 
connection with the service. 
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2. The method of claim 1 wherein the applet includes a second key payload and 
further includes first program code that controls the client to store the second key to a 
non-volatile memory. 

3. The method of claim 2 wherein the non-volatile memory comprises a disk. 

4. The method of claim 2 wherein the applet further includes second program code 
that controls the client to use the stored second key to verify a signature subsequently 
provided by the server. 

5. The method of claim 1 wherein the applet further includes program code that 
controls the client to use the stored second key to verify a signature subsequently 
provided by the server. 

6. The method of claim 1 wherein the executing step includes controlling the client 
virtual machine to store, at the client, a-the_second key in the form of a digital certificate 
corresponding to the server, and the further executing step comprises receiving a digital 
signature from the server, and authenticating the received digital signature under control 
of the executing applet through use of the stored digital certificate corresponding to the 
server. 

7. The method of claim 1 wherein the further executing step includes having the 
executing applet invoke a further applet to establish a secure connection. 

8. The method of claim 1 wherein the applet comprises a signed Archive 
containing a digital certificate corresponding to the server, and a program fragment that 
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stores the digital certificate in a predetermined location on the client that permits the 
client to later retrieve the stored digital certificate, 

9, a siieat-web browser on a client for establishing a secure network connection 
witha service over a network, said client web browser including a virtual machine, said 
client web browser and virtual machine being of the type that download and execute 
applets while protecting against at least some resources o f said client roaourooo from 
being updated by said applet execution, said client comprising: 

an applet receiver that receives at least one digitally signed applet from the service 
over an insecure network connection, said at least one applet including: (a) a key, (b) 
code executable on the client virtual machine to cause the client to store the key, and (c) 
code executable on the client virtual machine to establish a secure network connection 
with said service, said applet being executed by the client virtual machine to cause the 
client to store the key delivered with the applet, the stored key allowing authentication 
between the client and the service; 

wherein the client web browser includes an applet verifier that, before executing 
the applet, verifies the digitally signed applet using a key different from the key delivered 
with the applet; 

wherein the client virtual machine further includes an applet executor that 
executes the applet, thereby controlling the client to store the key delivered with the 
applet, said delivered key corresponding to the server, and uses the stored delivered key 
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to authenticate the server and establish a secure network connection between the client 
and the server, 

10. A method for establishing a secure network connection with a elient-web 
browse r on a client , said client web browser including a virtual machine and having 
access toafirstkev » said client web browser and virtual machine being of the type that 
download and execute applets while protecting at least some of client resources from 
being affected by said applet execution, the method comprising: 

downloading, over an insecure network connection, at least one executable applet 
to the client virtual machine, said at least one applet including: (a) a feffee^secondkey 
corresponding to the server, (b) code executable on the client virtual machine to cause the 
client to store the further key corresponding to the server, and (c) code executable on the 
client virtual machine to establish a secure network connection with said server, the 
digitally signed applet being digitally signed such that the client virtual machine can 
verify the digitally signed applet using ft-the first key the olient posses s es before ooid 
dewfdeadifig, the at least one digitally signed applet including the further key and code 
executable by the client virtual machine that controls the client virtual machine to store 
the further key; 

sending a digital credential to the client, said digital credential being verifiable by 
the client applet using the stored further key delivered with the at least one applet; and 

establishing a secure network communication with the executing client applet 
based on said digital credential as verified by the client applet. 
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11. The method of claim 10 wherein the applet code controls the client to store 
the further key to a non-volatile memory, 

12. The method of claim 1 1 wherein the non-volatile memory comprises a disk. 

13. The method of claim 10 wherein the applet further includes further code that 
controls the client to use the stored further key to verify the digital credential. 

14. The method of claim 10 further including sending a further applet to the client 
in response to an invocation of the further applet by the at least one applet. 

15. The method of claim 10 wherein the applet comprises a signed Archive 
containing a digital certificate, and a program fragment that stores the digital certificate in 
a predetermined location on the client that permits the client to later retrieve the stored 
digital certificate. 

16. A server for establishing a secure network connection with a ©fceafr-web 
browser on a client over a network, said client having resources including the web 
browser and a virtual machine , said client web browser and virtual machine being of the 
type that download and execute applets while protecting at least some of said client 
resources from being affected by said applet execution, said server comprising: 

an applet transmitter that transmits at least one digitally signed applet to the client 
over an insecure network connection, the at least one applet being digitally signed using a 
first key the client possesses independently of the applet, said at least one applet 
including: (a) a second key corresponding to the server, (b) code executable on the client 
virtual machine to cause the client to store the second key, and (c) code executable on 
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the client virtual machine to establish a secure network connection with said server, the 
applet being executable by the client virtual machine to control the client to store the 
second key corresponding to the server; 

a digital credential transmitter that transmits a digital credential to the client 
executing the applet, the digital credential being authenticatable by the client using the 
second key; and 

a secure network connector that establishes a secure network connection with the 
client under control of the executing applet and based at least in part on the digital 
credential being authenticated by the second key delivered over the insecure network 
connection. 

1 7. A method for establishing a secure network connection between a server and a 
web browser on a client h aving access to a firstkey and also having a virtual machine, 
said web browser and virtual machine downloading and executing applets while 
protecting resources from being updated by said applet execution, said method 
comprising: 

downloading, to the browser over an insecure network connection, at least one 
digitally signed applet, the applet including: (a) a second key associated with the server, 
(b) code executable on the client virtual machine to cause the client to store the second 
key, and (c) code executable on the client virtual machine to establish a secure network 
connection with said server; 

verifying the digitally signed applet at the browser using the first key; 
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executing the applet with the virtual machine to cause the client to store the second 

key; 

using the stored second key to authenticate a further credential delivered by the 
server; and 

based on said authentication of said further credential, establishing, under control 
of the executing applet, a secure network connection between the web browser and the 
server. 

18. A method as in claim 17 wherein the applet comprises an archive. 
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